Cisco ASA 5510 with Postini
Posted on 2009-04-07
I just started working here about 6 months ago and this organization has their backbone router (184.108.40.206, cisco 2610) with a default gateway setting of 0.0.0.0 0.0.0.0 220.127.116.11, where .89 is the inside interface of a Sun Microsystems Cobalt Qube3. This device has an external interface of 74.xxx.xxx.130 and it has a default gateway setting of 74.xxx.xxx.129, where .129 is the address of our Bellsouth managed router that our T1 line is on.
They bought a Cisco ASA 5510 before I got here and all they've been using it for is a VPN endpoint, so I'm trying to get all the traffic going out through the ASA instead of the Qube so we can decommission it. I have internet access working. I switched the default gateway of 18.104.22.168 (the backbone router) to 0.0.0.0 0.0.0.0 22.214.171.124, where .29 is the internal interface of the ASA. I then configured the ASA with an outside interface address of 74.xxx.xxx.149 and made its default gateway 0.0.0.0 0.0.0.0 74.xxx.xxx.129.
So now I have all my traffic going out through the ASA, no problem. I made the switch last night, tested it, and everything looked good. Came in this morning and my users are telling me, hey, we aren't getting any emails from external sources. So I log in to Postini and sure enough the Delivery Manager is set to deliver to 74.xxx.xxx.130 (the outside address of the old Qube). OK, so I change this address to 74.xxx.xxx.149 (the outside address of the ASA).
Well that didn't fix it, as Postini is reporting that it cannot connect to 74.xxx.xxx.149.
FYI the ip addy of our exchange server is 126.96.36.199 and Postini's Network range is 188.8.131.52 255.255.240.0.
So I go into the ASA config and add:
access-list [outside interface name]_access_in extended permit tcp 184.108.40.206 255.255.240.0 host 74.xxx.xxx.149 eq smtp
access-group [outside interface name]_access_in in interface [outside interface name]
access-list [inside interface name]_access_out extended permit tcp host 220.127.116.11 18.104.22.168 255.255.240.0 eq smtp
access-list [inside interface name]_access_out extended deny tcp any any eq smtp
access-list [inside interface name]_access_out extended permit ip any any
access-group [inside interface name]_access_out in interface inside
No dice, Postini's web interface still reports that it cannot connect to 74.xxx.xxx.149.
I can run a traceroute from postini's web interface to 74.xxx.xxx.149 and it gets there successfully so obviously the ASA is letting ICMP packets in.
The funny thing is, if I send an email OUT from inside to my gmail I get it just fine, but when I try to reply back IN I never get the email, and I never get a bounceback in my gmail box of ANY KIND.
What am I doing wrong here?
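As an added example (not the poster's configuration), this is the usual way to publish an inbound SMTP service on an ASA 5510 running 8.2-era code: a static port-forward from the outside interface address to the mail server, an inbound ACL that accepts SMTP only from the filtering provider's range, and the egress rule from the post that stops anything but the mail server from sending SMTP directly. All addresses (RFC 5737 documentation space), interface names and the 8.2 syntax are assumptions; on 8.3 and later the NAT and ACL syntax differs and the ACL matches the real (post-translation) address instead.

```cisco
! Added example, not the poster's config. Placeholders (constructed):
!   203.0.113.0/20  -> mail-filtering provider's delivery range
!   192.0.2.10      -> internal Exchange server
!   outside/inside  -> ASA interface names
!
! 1. Forward TCP/25 arriving at the outside interface address to the mail
!    server. Without a translation the ASA itself receives the SYN on its
!    own address, has no SMTP listener, and silently drops it.
static (inside,outside) tcp interface smtp 192.0.2.10 smtp netmask 255.255.255.255
!
! 2. Inbound ACL on the outside interface. In 8.2 the ACE matches the
!    public (pre-NAT) address, so reference the interface address, and
!    permit only the provider's range. Log anything else that tries.
access-list outside_access_in extended permit tcp 203.0.113.0 255.255.240.0 interface outside eq smtp
access-list outside_access_in extended deny tcp any interface outside eq smtp log
access-group outside_access_in in interface outside
!
! 3. Egress control: only the mail server may originate SMTP, and only to
!    the provider, so a compromised workstation cannot spam directly.
access-list inside_access_in extended permit tcp host 192.0.2.10 203.0.113.0 255.255.240.0 eq smtp
access-list inside_access_in extended deny tcp any any eq smtp log
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
!
! Verification from exec mode (outside-ip is the ASA's public address):
!   show xlate | include 25
!   packet-tracer input outside tcp 203.0.113.5 40000 <outside-ip> 25
! packet-tracer should finish with "Action: allow" and show the NAT phase.
```

A traceroute that reaches the outside address only proves the ASA answers ICMP on its own interface; it says nothing about whether TCP/25 is being translated to the mail server, which is what `packet-tracer` and `show xlate` confirm.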